USG40 - disable DPD on IKEv2

train_wreck
train_wreck Posts: 3
First Comment Third Anniversary
edited April 2021 in Security
I want to disable DPD on an IKEv2 site-to-site tunnel. How do I do this? There is no "dpd" command available under "ikev2 policy <policyname>". The only setting available is "dpd-interval", and the only valid values are 15-60. There is no option in the GUI. I tried "no dpd-interval", and the CLI accepted the input, but the DPDs continue to be sent, and the CLI still reports it being enabled when running "show ikev2 policy". Firmware is latest version available as of this post.

What's the secret here?

All Replies

  • Zyxel_Stanley
    Zyxel_Stanley Posts: 1,177
    100 Answers 1000 Comments Friend Collector Fifth Anniversary
     Guru Member

    Hi @train_wreck  

    The DPD function can be disabled by CLI command:

    Router(config-ikev2 NAME)# no dpd-interval

    However, this will disable the DPD sending out proactively

    If peer side DPD still working, the device will reply it.

    So this function need to be disabled on both of sides.

     

    The DPD function is a mechanism to check peer device networking status to prevent zombie tunnel situation and it is enabled by default. It’s also recommended to enable it on both sites. 

Security Highlight